Page MenuHomePhabricator

Requesting access to restricted production access and analytics-privatedata-users for Kalliope Tsouroupidou
Closed, ResolvedPublicRequest


Username: ktsouroupidou (also ldap account and Kalliope (WMF) on wikitech)
Full name: Kalliope Tsouroupidou

I'd like to request access for @Kalliope WMF to what I believe will be the restricted group and analytics-privatedata-users (the same that I have). Trust and Safety has had a number of workflows requiring shell access and private analytics logs (hadoop). Many of our workflows (including these ones) have been increasing and the only two people on our team with access are myself and Joe Sutherland. This has caused some major bottleneck issues at times and we want to expand the available people within our team to include other members of the T&S Operations team which includes Kalli.

Specifically some of the workflows she needs to be able to do (and I believe needs this access for):

  • Run maintenance scripts (mwmaint servers) to:
    • To remove 2FA for users who have lost their backup codes (after identity verification)
    • To add or reset user email addresses when locked out of their account (again after identity verification)
    • To permanently remove illegal images from the servers
  • Lookup private information such as user email addresses for legal or T&S investigations (such as urgent threats of harm or court orders).
  • Query webserver logs for private information such as IPs which have viewed certain pages (usually court orders)

Kalliope has already signed L3. @JanWMF is our people manager and I'll have him comment here in support. As always please let me know if any issues or questions. Kalli will post here with their public key.

SRE Clinic Duty Checklist for Access Requests

Most requirements are outlined on

This checklist should be used on all access requests to ensure that all steps are covered. This includes expansion to access. Please do not check off items on the list below unless you are in Ops and have confirmed the step.

  • - User has signed the L3 Acknowledgement of Wikimedia Server Access Responsibilities Document.
  • - User has a valid NDA on file with WMF legal. (This can be checked by Operations via the NDA tracking sheet & is included in all WMF Staff/Contractor hiring.)
  • - User has provided the following: wikitech username, preferred shell username, email address, and full reasoning for access (including what commands and/or tasks they expect to perform.
  • - User has provided a public SSH key. This ssh key pair should only be used for WMF cluster access, and not share with any other service (this includes not sharing with WMCS access, no shared keys.)
  • - access request (or expansion) has sign off of WMF sponsor/manager (sponser for volunteers, manager for wmf staff)
  • - non-sudo requests: 3 business day wait must pass with no objections being noted on the task - 3 business day wait ends on Monday, 2018-08-27.
  • - Patchset for access request &

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCrzndpk6uVWUuKtLufbwXqzQ4ytn15zfveCPBWSKgGrhAPfrscyeF/jDqSEBhT2CprU8UyD20sAi9SeAsvLUakZ2z6vRG/XNbqLSfOGZudXEf9gkBOt9KdL5ycTRXWHIHLmRM/aWWAamp6tp4YArOD8Tao82caFmP8ikA/x0zM+K4DitOqWteG/CEbyOzdjF4kg2bWPrvHvhbyM3yKFKftn3EFn2owqCw7s/ACiigQjBbaEKxc4NKDrA7LQW5KXQ5RZkGSPMNT6t+jJ93Tlbm0MDQ7tGFJ3oZNRrpGZ4UlbRqURNGfepUYtFxJniX0+N7woi5KFhT+WTnV/4GfckReQj+f0XeoBlfqU4dsNABIumn/LZy2pWq5xBC2GNLZohWh04q+qRIgzn3Gw5W+R3LHTEV1xcx/8mTHY2rrKexAMkzm8koP+0UYV/pQEPzEtC3mx0YbyYmoqOlWimvYnZQjovdJPqNpp9gF1xUbmav+2AfRoVCRJYpk3d62lr2Us3zPh1QrU3+xbQyMwAWDVPIOx6TJFsJ7NW86obtYPY0CIjZxyL3SgusVy242i/DFGraudMVYG8pPCxdM4inZmIUiZGVJR9hcT3T2eFTxQujzi2I4/LZvFXqy2Vw19ErMLM7J4klFug3cojKEDH78J9kmKSfbmU+lCm7E+z8wbhU6RQ== ktsouroupidou@ktsouroupidouwmf1632

Change 454712 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] adding new shell user Kalliope Tsouroupidou

Change 454713 had a related patch set uploaded (by RobH; owner: RobH):
[operations/puppet@production] adding user ktsouroupidou to groups

RobH triaged this task as Medium priority.Aug 22 2018, 10:47 PM
RobH updated the task description. (Show Details)
RobH moved this task from Untriaged to 3 Business Day Wait on the SRE-Access-Requests board.
RobH added a subscriber: RobH.

I neglected to note restrited is a sudo group, and thus this will require approval in our weekly SRE meeting (next Monday.)

This was approved in today's SRE team meeting.

Change 454712 merged by ArielGlenn:
[operations/puppet@production] adding new shell user Kalliope Tsouroupidou

Change 454713 merged by ArielGlenn:
[operations/puppet@production] adding user ktsouroupidou to groups

As soon as the user verifies that access works as expected, we can close this ticket.

Hey @Kalliope please let us know that access to the logs and the mwmaint servers works for you, and we'll close this ticket.

Unfortunately when I did the set up I opted for "no password" but then the system wouldn't let me in. So, i had to overwrite it and create a new one. Sorry about that! Here is the new ssh key, so you can set up a new thing for me. My apologies!!

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDZngauhpFPS3juUnzfOylOOCSebKHoN975P54IfBmDKImYU4XMbg9nD1ACDkWcIv3erUu4WMWNhS8K22gk6kMkTOTSOQ0ZVF6fAd1EFZTqost1iu7LPO7DkAMcYoHF+LlfFjVnK6ueK5Yt+TNqZA08r+b7mMTjf9AA+/GzPhfC9NkSMAxZ4B17IOPCAKgV6tQWV2JndzirQcl11bu5pqXvIQFhWD0vqa2RvUwg6bySXqwLmUxLs6Vp1tRXiIFtTgy5CTT0OAM9FirEA45cambO7FYCsTuiD3CQysfCxQNZaU0LTGZ+Shy1WdMqJN+hvZRmjM1plM22o+RIr8iu586Os7sjxeWS1ERQ58Bk2l4z/lz/GV3MqUFPUI5GjvVAAx5BGyPUOMyuGW+f82SsudFpY4nFDtYp6w+cTZo6UGWhX/LMLjc2uxG62nATwnF2JxLt5wEq8X9rGp2NIbBzZDP8rCrr2q+/gUjwbc1Aw80RvO5dJ/c7aO9jifQZm6DWyGm/5rAE9cZoWqw6pvs2BAyw9hZiPMdIE/9c1Kydao4968Db9Y72gFjBs+Kp1bNQCL9YHbOCVhZ9pwgqr7uBCyxco8IdmFlNZBu63KidXFZ/rpSxP1lTXUo6Wwe/lr+x35y/sdj1a0NA9p+TpXR7qkEX+KCvsppMGhCIf+AsDXACZQ== ktsouroupidou@ktsouroupidouwmf1632

Change 460576 had a related patch set uploaded (by Ayounsi; owner: Ayounsi):
[operations/puppet@production] Update SSH key for user ktsouroupidou

Change 460576 merged by Ayounsi:
[operations/puppet@production] Update SSH key for user ktsouroupidou

Update, @Kalliope let us know if you're all set.

RobH reassigned this task from ayounsi to Kalliope.
RobH added a subscriber: ayounsi.


This should be all set for you. If there is an issue, please reopen this task.

It's worked great. Thank you for your help!!